Monitoring network management activity

ABSTRACT

A device is configured to receive, from a network device, a first message associated with a network management activity performed by using an application of the network device. The device is further configured to determine whether the first message satisfies a criterion, and to classify the first message based on a type of the application when the first message satisfies the criterion. The device is also configured to receive, from the network device, a second message associated with the network management activity; to correlate the second message with the first message after classifying the first message; and to create a record for the network management activity based on the first message and the second message by using rules associated with the type of the application.

BACKGROUND

Communication networks typically include network devices, such as routers, firewalls, switches, or gateways, which transfer or switch data from one or more sources to one or more destinations. The network devices may operate on the data as the data traverses the network, such as by forwarding or filtering the data. Operators, such as network administrators, of the network devices may use different applications of the network devices to perform network management activities. Examples of network management activities may include updating security protocols, updating forwarding protocols, updating a virtual local area network (VLAN) configuration, etc. Each one of the applications may be developed independently and/or by different entities. As a result, the applications may be unable to communicate information regarding the network management activities to one another. Therefore, the operators may be unable to monitor all of the network management activities.

SUMMARY

According to one aspect, a method may include receiving, by a computing device and from a network device, a first message associated with a network management activity performed by using an application of the network device; determining, by the computing device, whether the first message satisfies a criterion; classifying, by the computing device, the first message based on a type of the application when the first message satisfies the criterion; receiving, by the computing device and from the network device, a second message associated with the network management activity; correlating, by the computing device, the second message with the first message after classifying the first message; and creating, by the computing device, a record for the network management activity based on the first message and the second message by using rules associated with the type of application.

According to another aspect, a device may include a processor. The processor may receive, from a network device, a first message associated with a network management activity performed by using an application of the network device; determine whether the first message satisfies a criterion; classify the first message based on a type of the application when the first message satisfies the criterion; receive, from the network device, a second message associated with the network management activity; correlate the second message with the first message after classifying the first message; and create a record for the network management activity based on the first message and the second message by using rules associated with the type of the application.

According to still another aspect, one or more computer-readable media, containing one or more instructions, which when executed by at least one processor of a computing device, may cause the at least one processor to: receive, from a network device, a first message associated with a network management activity performed by using an application of the network device; determine whether the first message satisfies a criterion; classify the first message based on a type of the application when the first message satisfies the criterion; receive, from the network device, a second message associated with the network management activity; correlate the second message with the first message after classifying the first message; and create a record for the network management activity based on the first message and the second message by using rules associated with the type of the application.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate one or more implementations described herein and, together with the description, explain these implementations. In the drawings:

FIG. 1 is a diagram of an example network in which systems and/or methods described herein may be implemented;

FIG. 2 is a diagram of example components of one or more devices of FIG. 1;

FIG. 3 is a diagram of example functional components of a network device of FIG. 1;

FIG. 4 is a diagram of example functional components of a logging server of FIG. 1;

FIG. 5 is a diagram of an example record that stores information associated with a network management activity;

FIG. 6 is a flow chart of an example process for generating and transmitting messages associated with a network management activity;

FIG. 7 is a flow chart of an example process for creating a record;

FIG. 8 is a diagram of an example user interface that allows an operator to view information associated with a network management activity; and

FIG. 9 is a flow chart of an example process for presenting information of a record.

DETAILED DESCRIPTION

The following detailed description refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.

A system and/or method, described herein, may enable monitoring of network management activities. For example, a logging server may receive, from a network device, a message associated with a network management activity. The logging server may determine whether the message satisfies a criterion. In one example, the logging server may determine that a particular message satisfies the criterion when the particular message includes one or more particular parameters. When the logging server determines that the message satisfies the criterion, the logging server may classify the message based on a type of application used by the network device to perform the network management activity. Thereafter, the logging server may receive, from the network device, other messages that are associated with the network management activity, and may correlate the other messages to the original message. The logging server may create a record, based on the original message and the other messages, for the network management activity. The logging server may receive a request for information associated with the network activity from another network device. The logging server may retrieve the information from the record, and may provide the information in response to the request.

In one example implementation, each record may include information from messages that were generated by only a single network device when a particular application, of the single network device, was used to perform a network management activity during a single session. The single session may include, for example, a log-in event, a log-out event, and/or one or more other types of events that may occur between the log-in event and the log-out event. The log-in event may occur when an operator logs into the particular application to perform the network management activity. The log-out event may occur when the operator logs-out of the application at the end of the single session.

As a result, the logging server may organize, into records, information from messages associated with different network management activities that are performed by using different applications of different network devices. The logging server may provide information from the records to allow operators, such as network administrators, of network devices to make decisions as to which new network management activity needs to be performed based on the previous network activities. For example, an operator may decide to perform a network management activity to fix a problem caused by two conflicting network management activities.

FIG. 1 is a diagram of an example network 100 in which systems and/or methods described herein may be implemented. As shown in FIG. 1, network 100 may include a network 105, which includes a group of network devices 110-1, . . . , 110-N (where N≧1) (hereinafter referred to collectively as “network devices 110” and individually as “network device 110”) and a logging server 120, and a client device 130. While FIG. 1 shows a particular number and arrangement of devices, network 100 may include additional, fewer, different, and/or differently arranged devices than are illustrated in FIG. 1. Alternatively, or additionally, one or more of the devices of network 100 may perform one or more functions described as being performed by another one or more of the devices of environment 100. Devices of network 100 may interconnect via wired connections, wireless connections, or a combination of wired and wireless connections.

Network 105 may include a service provider network, such as a local area network (LAN); a wide area network (WAN); a metropolitan area network (MAN); a telephone network (e.g., the Public Switched Telephone Network (PSTN) or a cell network); the Internet; or a combination of networks.

Network device 110 may include one or more network devices that receive traffic (e.g., packets) and forward the traffic toward its destination. For example, network device 110 may take the form of a routing device, a switching device, a multiplexing device, a firewall device, or a device that performs a combination of routing, switching, security functions, and/or multiplexing functions. In one implementation, network device 110 may be a digital device. In another implementation, network device 110 may be an optical device. In yet another implementation, network device 110 may be a combination of a digital device and an optical device.

Network device 110 may store one or more applications that are used to perform network management activities, as described further below with reference to FIG. 3. Examples of network management activities may include updating security protocols, updating forwarding protocols, updating a VLAN configuration, etc. Network device 110 may transmit messages associated with the network management activities to logging server 120.

Logging server 120 may include one or more server devices, or other types of devices, that gather, process, search, store, and/or provide information in a manner described herein. Logging server 120 may receive messages from network devices 110. Logging server 120 may determine which messages satisfy a criterion, and may correlate the messages that satisfy the criterion with other related messages. Logging server 120 may create records based on the correlated messages, and may provide information from the records in response to requests from operators of network devices 110.

Client device 130 may include any device used by an operator to access and/or use an application of network device 110. In one implementation, client device 130 may include a device that is capable of communicating with network device 110 via network 105. For example, client device 110 may include a radiotelephone; a personal communications system (PCS) terminal that may combine a cellular radiotelephone with data processing and data communications capabilities; a personal digital assistant (PDA) that can include a radiotelephone, a pager, Internet/intranet access, etc.; a wireless device (e.g., a wireless telephone); a smart phone; a workstation computer; a laptop computer; a personal computer; or other types of computation or communication devices. In another implementation, each network device 110, of one or more network devices 110, may include client device 130. In other words, the one or more network devices 110 may operate as client devices 130. Herein, “network device 110” may refer to client device 130 that is executing network management applications that are described below with reference to FIG. 3.

FIG. 2 is a diagram of example components of a device 200, which may correspond to network device 110 and/or logging server 120. Each one of network device 110 and/or logging server 120 may include one or more devices 200 and/or one or more of each one of the components of device 200. As shown in FIG. 2, device 200 may include a bus 210, a processor 220, a memory 230, and an input/output component 240.

Although FIG. 2 illustrates example components of device 200, in other implementations, device 200 may include additional components, fewer components, different components, or differently arranged components than those illustrated in FIG. 2 and described herein. Alternatively, or additionally, one or more components of device 200 may perform one or more tasks described as being performed by one or more other components of device 200.

Bus 210 may include a path that permits communication among the components of device 200. Processor 220 may include a processor, a microprocessor, or processing logic (e.g., an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA)) that may interpret and execute instructions. Memory 230 may include a random access memory (RAM) or another type of dynamic storage device that may store information and instructions for execution by processor 220; a read only memory (ROM) or another type of static storage device that may store static information and instructions for use by processor 220; a magnetic and/or optical recording medium and its corresponding drive; and/or a removable form of memory, such as a flash memory.

Input/output component 240 may include a mechanism that permits an operator to input information to device 200, such as a keyboard, a keypad, a mouse, a button, a pen, a touch screen, etc., and/or a mechanism that outputs information to the operator, including a display, a light emitting diode (LED), a speaker, etc. Additionally, or alternatively, input/output component 240 may include any transceiver-like mechanism that enables device 200 to communicate with other devices and/or systems. For example, input/output component 240 may include a wired interface (e.g., an Ethernet interface, an optical interface, etc.), a wireless interface (e.g., a radio frequency (RF) interface, a wireless fidelity (Wi-Fi) interface, a Bluetooth interface, etc.), or a combination of a wired interface and a wireless interface.

As will be described in detail below, device 200 may perform certain operations. Device 200 may perform these and other operations in response to processor 220 executing software instructions (e.g., computer program(s)) contained in a computer-readable medium, such as memory 230, a secondary storage device (e.g., hard disk, CD-ROM, etc.), etc. A computer-readable medium may be defined as a non-transitory memory device. A memory device may include a space within a single physical memory device or spread across multiple physical memory devices. The software instructions may be read into memory 230 from another computer-readable medium or from input/output component 240. The software instructions contained in memory 230 may cause processor 220 to perform processes described herein. Alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.

FIG. 3 is a diagram of example functional components of network device 110. As shown in FIG. 3, network device 110 may include a group of network management applications 310-1, . . . , 310-M (where M≧1) (hereinafter referred to collectively as “network management applications 310” and individually as “network management application 310”).

Although FIG. 3 shows example functional components of network device 110, in other implementations, network device 110 may include fewer functional components, different functional components, and/or additional functional components than those depicted in FIG. 3. Alternatively, or additionally, one or more functional components of network device 110 may perform one or more tasks described as being performed by one or more other functional components of network device 110.

Network management application 310 may include an application that is used to perform a network management activity. The network management activity may include, for example, configuring network device 110, which executes network management application 310, and/or one or more other network devices 110. As one example, network management application 310 may include an element management system (EMS) application. An operator may use an EMS application to manage functions and/or capabilities within one or more network devices 110. As a second example, network management application 310 may include a network management systems (NMS) application. An operator may use an NMS application to manage traffic between network devices 110. In another example, network management application 310 may include an application that includes one or more functionalities of an EMS application and one or more functionalities of an NMS application. Network management application 310 may include additional or other types of applications that can be used to perform network management activities.

When network management application 310 is used to perform a network management activity, network management application 310 may generate a message associated with the network management activity. Network management application 310 may transmit the message to logging server 120. A message, as used herein, may refer to a system logging (syslog) message, a simple network management protocol (SNMP) message, or another type of message.

FIG. 4 is a diagram of example functional components of a logging server 120. As shown in FIG. 4, logging server 120 may include a message receiver 410, a correlation engine 420, a records storage 430, and an information provider 440.

Although FIG. 4 shows example functional components of logging server 120, in other implementations, logging server 120 may include fewer functional components, different functional components, and/or additional functional components than those depicted in FIG. 4. Alternatively, or additionally, one or more functional components of logging server 120 may perform one or more tasks described as being performed by one or more other functional components of logging server 120.

Message receiver 410 may receive messages from network management applications 310 (FIG. 3) of network devices 110. Message receiver 410 may store the messages, and/or may forward the messages to correlation engine 420.

Correlation engine 420 may determine whether a particular message satisfies a criterion. When correlation engine 420 determines that the particular message satisfies the criterion, correlation engine 420 may correlate the particular message with other received messages that are related to the same network management activity as the particular message. Correlation engine 420 may create a record based on the correlated messages, including the particular message and the other received messages. As one example, a group of messages have been received relating to updating a forwarding protocol. Correlation engine 420 may correlate the messages, and may create a record based on information extracted from the group of messages.

Correlation engine 420 may store the record in records storage 430. Records storage 430 may store records that are associated with different network management activities.

Information provider 440 may provide information based on the records stored in records storage 430. In one example, information provider 440 may receive a search query from a user interface of an operator. Information provider 440 may identify one or more records based on the search query, and may provide information from the one or more identified records to the user interface.

FIG. 5 is a diagram of an example record 500 that stores information associated with a network management activity. Record 500 may be stored in records storage 430 (FIG. 4). As shown in FIG. 5, record 500 may include a collection of fields, such as a session identifier (ID) field 505, a device information field 510, a time field 515, an operator information field 520, an application information field 525, an action information field 530, and/or a connection information field 535.

The quantity of fields in record 500 is included for explanatory purposes. In practice, record 500 may include additional fields, fewer fields, and/or different fields than are described with respect to record 500.

Session ID field 505 may include information that uniquely identifies a session associated with a network management activity performed by using network device 110. The network management activity may occur during the session. Device information field 510 may store information (e.g., a device identifier (ID), an Internet protocol (IP) address, etc.) associated with network device 110. Time field 515 may identify a first time at which the network management activity was started and/or a second time at which the network management activity ended.

Operator information field 520 may store information that identifies an operator of network device 110, such as a network administrator, who used network device 110 to perform the network management activity. Operator information field 520 may include, for example, a username, a password, a personal identification number (PIN), etc. In some instances, the network management activity may be initiated automatically by network device 110 (e.g., when network device 110 receives a particular type of file from another network device 110). In these instances, operator information field 520 may not include any information or may indicate that the network management activity was initiated automatically by network device 110.

Application information field 525 may store information that identifies an application of network device 110 used to perform the network management activity. Additionally, or alternatively, application information field 525 may store a type of the session associated with the network management activity. The type of the session may correspond to a type of the application.

Action information field 530 may store information that identifies one or more actions that were performed, during the session, in order to initiate and/or complete the network management activity. Action information field 530 may include, for example, information about one or more of command(s) received by network device 110 during the session, type(s) of configuration(s) pushed to network device 110 during the session, and/or types of SNMP requests received by network device 110 during the session. Additionally, or alternatively, action information field 530 may store information associated with a configuration change implemented on network device 110. The information associated with the configuration change may identify a type of configuration change and/or types of job(s) associated with the network management activity (e.g., update security protocols, forwarding protocols, a VLAN configuration, a Quality of Service (QoS) policy, etc.).

Connection information field 535 may store information that specifies a type of connection used by the operator to interact with network device 110 while performing the network management activity. Connection information field 535 may, for example, identify one or more of an outbound secure shell (SSH) connection, an inbound SSH connection, a Telnet connection, a web management connection, etc.

FIG. 6 is a flow chart of an example process 600 for generating and transmitting messages associated with a network management activity. In one example implementation, process 600 may be performed by network device 110. In another example implementation, some or all of process 600 may be performed by a device or collection of devices separate from, or in combination with, network device 110.

As shown in FIG. 6, process 600 may include receiving a request to log into an application (block 610) and starting a session (block 620). For example, an operator may use client device 130 to open a particular type of interface, such as a graphical user interface (GUI) or a command line interface (CLI). The operator may use the interface to establish a particular type of connection, such as an SSH connection, with network device 110. The operator may enter, into the interface, a request to log into a particular application, of network device 110. Client device 130 may transmit the request to network device 110 via the particular type of connection. Network device 110 may receive the request from client device 130. In response to the request, network device 110 may start a session during which the operator may use the particular application to perform a network management activity. Starting the session may include assigning a session ID that uniquely identifies the session and logging into the particular application so that the operator may use the application via the interface.

Process 600 may further include generating a message for a log-in event and transmitting the message to a logging server (block 630). For example, the particular application, of network device 110, may generate a first message for a log-in event (e.g., when network device 110 logged into the application). The first message may include one or more parameters, including a tag that identifies the log-in event (e.g., a login event tag), a client mode value that identifies the particular type of interface used by the operator to interact with network device 110 via client device 130, a process name that identifies a type of a process used by network device 110 to perform the log-in, the session ID, information that identifies network device 110, information that identifies the operator, information that identifies the application, information that identifies a type of action associated with the log-in, information that identifies the particular type of connection used by client device 130 to connect to network device 110, a primary process identifier (pid) that identifies the process used by the particular application for the log-in, etc. Network device 110 may transmit the first message to logging server 120.

Process 600 may also include receiving a command and performing one or more actions based on the command (block 640). For example, the operator may enter, into the interface, a command to use the particular application to configure network device 110. Client device 130 may transmit the command to network device 110. Network device 110 may receive the command, and the particular application, of network device 110, may perform one or more actions to configure network device 110 based on the command.

Process 600 may also include generating a message for a new event and transmitting the message to the logging server (block 650). For example, the particular application, of network device 110, may generate a second message for a new event (i.e., when network device 110 performs the one or more actions based on the command). The second message may include a tag that identifies a type of the command (e.g., a configuration command tag), information that identifies the one or more actions, and/or other information associated with the configuration of network device 110. In one example, the second message may include information identifying every action taken by the operator and/or every change made to network device 110. The second message may further include one or more of the types of parameters that are described above as possibly being included in the first message. The second message may also include a secondary pid. The secondary pid may identify a process used by the particular application for the new event, and/or may include a reference to the primary pid that is included in the first message. Network device 110 may transmit the second message to logging server 120.

Network device 110 may continue to receive commands, perform actions based on the commands, and generate new messages associated with the commands and/or the actions. The new messages may include the same types of information as described above as possibly being included in the second message. Network device 110 may transmit the new messages to logging server 120.

Process 600 may also include receiving a request to log-out of the application (block 660). For example, the operator may enter a request, to log-out of the particular application, into the interface. Client device 130 may transmit the request, to log-out of the particular application, to network device 110. Network device 110 may receive the request from client device 130. In response to the request, network device 110 may log out of the particular application, and may end the session.

Process 600 may also include generating a message for a log-out event and transmitting the message to the logging server (block 670). For example, the particular application, of network device 110, may generate a final message for the log-out event (e.g., when network device 110 logs out of the application). The final message may include one or more parameters, including a tag that identifies the log-out event (e.g., a log-out event tag) and/or one or more other types of parameters that are described above as possibly being included in the first message and/or the second message. Network device 110 may transmit the final message to logging server 120. Logging server 120 may generate a record, for the network management activity that occurred during the session, based on information included in the first message, the second message, the other new messages, and/or the final message.

FIG. 7 is a flow chart of an example process 700 for creating a record. In one example implementation, process 700 may be performed by logging server 120. In another example implementation, some or all of process 700 may be performed by a device or collection of devices separate from, or in combination with, logging server 120.

As shown in FIG. 7, process 700 may include receiving a message from a network device (block 710) and extracting a tag, a client mode value, and/or a process name from the message (block 720). In one implementation, an operator may use network device 110 to perform a network management activity. Network device 110 may generate a first message associated with an event (e.g., a log-in event), and may transmit the first message to logging server 120. Logging server 120 may receive the first message from network device 110. The first message may include a tag, a client mode value, a process name, and/or one or more other types of parameters associated with the event. Network device 110 may extract the tag, the client mode value, and/or the process name from the first message.

The tag may indicate, for example, a type of the event associated with the first message. The tag may include, for example, a log-in event tag, a log-out event tag, an extensible markup language (XML) based protocol command tag, a network configuration protocol (NETCONF) command tag, a command line read line tag, a database log-in event tag, a database log-out event tag, a login information tag, a configuration audit settings tag, etc.

The client mode value may indicate, for example, a type of an interface that the operator used on client device 130, to interact with network device 110, during the event associated with the first message. The client mode value may include, for example, a value that corresponds to a NETCONF graphical user interface (GUI), a value that corresponds to an XML based protocol interface, a value that corresponds to a command line interface (CLI), etc.

An application (e.g., network management application 310 (FIG. 3)) of network device 110 may use various processes to perform the network management activity. The process name may identify, for example, a type of process that is used, by network device 110, to perform the event associated with the first message. For example, a first process name may identify a first type of process that is used, by network device 110, when the operator enters a command. A second process name may identify a second type of process that is used, by network device 110, when network device 110 receives a file.

Returning to FIG. 7, process 700 may further include determining whether the message satisfies a criterion (block 730). In one implementation, logging server 120 may store characteristics of a particular type of message that satisfies a criterion. For example, the characteristics may specify that the particular type of message includes a particular tag, a particular client mode value, and/or a particular process name. Logging server 120 may determine whether the first message satisfies the criterion based on the characteristics and the parameters extracted from the first message. Further to the example above, logging server 120 may determine that the first message satisfies the criterion when the extracted tag matches the particular tag, when the extracted client mode value matches the particular client mode value, and/or when the extracted process name matches the particular process name.

If the message does not satisfy the criterion (block 730—NO), process 700 may include dropping the message (block 735). In one implementation, when logging server 120 determines that the first message does not satisfy the criterion, logging server 120 may drop the first message. In one example, dropping the first message may include removing the first message from logging server 120 and ending process 700. In another example, dropping the first message may include storing the first message and ending process 700.

If the message satisfies the criterion (block 730—YES), process 700 may include classifying the message (block 740). In one implementation, when logging server 120 determines that the first message satisfies the criterion, logging server 120 may classify the first message. For example, logging server 120 may classify the first message based on a type of the application used by network device 110 to perform the network management activity.

In one example, logging server 120 may determine the type of the application based on one or more parameters included in the first message. For example, logging server 120 may determine that the application is of a particular type when the first message includes the extracted client mode value and the extracted tag (e.g., a log-in event tag). In this example, logging server 120 may classify the first message as being associated with the particular type of the application.

In another example, the first message may include a value that identifies a particular type of application. Logging server 120 may extract the value from the first message, and may classify the first message as being associated with the particular type of the application based on the value.

Process 700 may also include determining a session ID associated with the message (block 750). In one implementation, the first message may also include a session ID that identifies a session associated with the network management activity. Logging server 120 may extract the session ID from the first message.

Process 700 may also include receiving and correlating related messages (block 770). In one implementation, after classifying the first message, logging server 120 may receive other messages from network device 110, and may identify messages that are associated with the same session as the first message. Further to the example above, the first message may be for a log-in event, and may include a primary pid. Logging server 120 may receive a second message for a different event (e.g., that occurred when the operator entered a command). The second message may include, for example, a command tag and a secondary pid. The secondary pid may include a reference to the primary pid of the first message. Logging server 120 may determine that the second message is for the same session as the first message based on the command tag and/or the secondary pid. Logging server 120 may correlate the second message to the first message since the first message and the second message are related to the same session. In this manner, logging server 120 may continue to receive and correlate one or more other messages that are related to the first message. In one example, logging server 120 may determine that there are no more messages to receive and correlate after receiving and correlating a final message for a log-out event.

Process 700 may also include creating a record (block 770). In one implementation, one or more of the correlated messages may include different pieces of information associated with the network management activity. In one example, the first message may include the session ID; the second message may identify the command entered by the operator and/or include device information (e.g., an IP address) associated with network device 110; a third message, of the correlated messages, may identify one or more actions performed by network device 110 and/or include the connection information; etc. In another example, the first message may include the device information (e.g., the IP address and a port associated with network device 110) and operator information (e.g., a user ID) associated with the operator of network device 110; the second message may indicate that the operator used the application to enter a particular mode for editing a database; a third message, of the correlated messages, may indicate that the operator exited the particular mode; etc.

Logging server 120 may store rules (e.g., associated with the type of the application) that specify which ones of the correlated messages include which types of information (e.g., the session ID, the device information, etc.) and/or where the information is included in the correlated messages. Logging server 120 may extract the information from the correlated messages based on the rules. Additionally, or alternatively, logging server 120 may use some of the extracted information to determine additional information associated with the network management activity. For example, logging server 120 may extract, from one of the correlated messages, an IP address of a south-bound interface of network device 110. Logging server 120 may use the extracted IP address to determine a virtual IP address associated with network device 110. Logging server 120 may create the record (e.g., record 500 shown in FIG. 5) based on the extracted information and/or the additional information determined by logging server 120.
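
The filter, classify, correlate and record steps of process 700, as an added example that is not part of the original document: the message fields, tag strings, process names and rule tables are assumptions, since the description names the parameters without fixing a format. It also returns the dropped messages and the sessions that never reached a log-out event, which are the places an auditor would check for commands that ended up in no record.

```python
# Added example: process 700 over constructed messages.
# Field names, tag strings and process names are assumptions; the page names
# the parameters but gives no wire format.

# Stored characteristics (tag, client mode, process name) of messages that
# satisfy the criterion, mapped to the application type used to classify them.
CRITERIA = {
    ("LOGIN", "netconf-gui", "mgmt-proc"): "EMS",
    ("LOGIN", "cli", "mgmt-proc"): "CLI",
}

# Per-application rules: which message tag carries which record field.
RULES = {
    "EMS": {
        "LOGIN": {"session_id": "session_id", "device_ip": "device_id",
                  "user": "operator"},
        "CMD": {"command": "action", "connection": "connection", "time": "time"},
    },
    "CLI": {"LOGIN": {"session_id": "session_id"}, "CMD": {"command": "action"}},
}

MESSAGES = [  # constructed sample input
    {"tag": "LOGIN", "client_mode": "netconf-gui", "process": "mgmt-proc",
     "pid": 4101, "session_id": 101, "device_ip": "192.0.2.10", "user": "op1"},
    {"tag": "CMD", "pid": 4102, "ppid": 4101,
     "command": "modify routing protocol", "connection": "SSH",
     "time": "12:46:36"},
    {"tag": "LOGIN", "client_mode": "cli", "process": "file-recv",
     "pid": 5000, "session_id": 102},            # fails the criterion
    {"tag": "CMD", "pid": 6001, "ppid": 9999,
     "command": "show"},                         # references no known primary pid
    {"tag": "LOGIN", "client_mode": "cli", "process": "mgmt-proc",
     "pid": 7001, "session_id": 103},            # never logs out
    {"tag": "LOGOUT", "pid": 4103, "ppid": 4101},
]


def build_record(session):
    """Create the record: pull fields from correlated messages per the rules."""
    record = {"application": session["app"]}
    rules = RULES[session["app"]]
    for msg in session["messages"]:
        for src, dst in rules.get(msg["tag"], {}).items():
            if src in msg:
                record.setdefault(dst, msg[src])  # first occurrence wins
    return record


def process_700(messages):
    """Return (records, dropped, open_sessions) for a stream of messages."""
    open_sessions = {}  # primary pid -> session state
    records, dropped = [], []
    for msg in messages:
        session = open_sessions.get(msg.get("ppid"))
        if session is not None:
            # Correlate: the secondary pid references a known primary pid.
            session["messages"].append(msg)
            if msg["tag"] == "LOGOUT":  # final message closes the session
                records.append(build_record(open_sessions.pop(msg["ppid"])))
            continue
        key = (msg.get("tag"), msg.get("client_mode"), msg.get("process"))
        app = CRITERIA.get(key)
        if app is None:
            dropped.append(msg)  # block 735: stored here rather than deleted
            continue
        open_sessions[msg["pid"]] = {"app": app, "messages": [msg]}
    return records, dropped, open_sessions


if __name__ == "__main__":
    recs, drops, still_open = process_700(MESSAGES)
    print(recs, len(drops), list(still_open))
```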

FIG. 8 is a diagram of an example user interface 800 that allows an operator to view information associated with a network management activity. As shown in FIG. 8, user interface 800 may include a collection of fields and/or buttons, such as a device ID search field 805, an application search field 810, an action search field 815, a search button 818, a records found field 820, a session ID field 822, a device ID field 825, an action information field 830, a connection information field 835, a time field 840, and an application information field 845.

The quantity of fields and/or buttons, included within user interface 800, is provided for explanatory purposes. In another example implementation, there may be fewer fields and/or buttons, additional fields and/or buttons, different fields and/or buttons, and/or differently arranged fields and/or buttons than shown in FIG. 8.

Device ID search field 805 may allow an operator to enter a search query based on a device ID associated with a particular network device 110. Application search field 810 may allow the operator to enter a search query based on a type of application used for network management activities. Action search field 815 may allow the operator to enter a search query based on a type of action performed during the network management activities.

Search button 818 may, when selected by the operator, cause logging server 120 to initiate a search based on the device ID entered into device ID search field 805, the application type entered into application information search field 810, and/or the type of action entered into action information search field 815. In another example implementation, device ID search field 805, application information search field 810, and/or action information search field 815 may be combined into a single field.

Records found field 820 may identify one or more records 850 that logging server 120 identifies as relevant to the search query entered into user interface 800 by the operator. Session ID field 822, device ID field 825, action information field 830, connection information field 835, time field 840, and application information field 845 may include information from, for example, a record 861 that is selected by the operator from records 850. Record 861 may correspond to record 500 (FIG. 5).

Session ID field 822 may correspond to information in session ID field 505 (FIG. 5) of record 861. Device ID field 825 may correspond to device information field 510 (FIG. 5) of record 861. Action field 830 may correspond to information in action information field 530 (FIG. 5) of record 861. Connection field 835 may correspond to information in connection information field 535 (FIG. 5) of record 861. Time field 840 may correspond to information in time field 515 (FIG. 5) of record 861. Application information field 845 may correspond to information in application information field 525 (FIG. 5) of record 861. Additionally, or alternatively, user interface 800 may include other fields, such as an operator information field, etc. The operator information field may correspond to information in operator information field 520 (FIG. 5) of record 861.

FIG. 9 is a flow chart of an example process 900 for presenting information of a record. In one example implementation, process 900 may be performed by logging server 120. In another example implementation, some or all of process 900 may be performed by a device or collection of devices separate from, or in combination with, logging server 120. A portion of process 900 of FIG. 9 will be described below with references to user interface 800 of FIG. 8.

As shown in FIG. 9, process 900 may include receiving a search query via a user interface (block 910) and identifying one or more records based on the search query (block 920). For example, an operator (e.g., a network administrator) may send a request to logging server 120 to search for information associated with network management activities. In response to the request, logging server 120 may provide a user interface (e.g., user interface 800) that allows the operator to enter a search query.

As described above with reference to FIG. 8, the operator may enter a device ID (e.g., 110-2) into device ID search field 805, a type of application into application information search field 810, and/or a type of action into action information field 815. The operator may select search button 818, which may cause logging server 120 to receive the search query. The search query may include the device ID, the type of application, and/or the type of action. Logging server 120 may perform a search of stored records by comparing the search query with the stored records. Logging server 120 may identify one or more records 850 that include the device ID, the type of application, and/or the type of action included in the search query.

As further shown in FIG. 9, process 900 may include presenting the one or more records via the user interface (block 930) and receiving a selection of a record via the user interface (block 940). For example, logging server 120 may present for display, via the user interface, records 850 in records found field 820. The operator may select, for example, record 861 in records found field 820, and logging server 120 may receive a selection of record 861 via user interface 800.

Process 900 may also include retrieving information associated with the selected record (block 950) and presenting the retrieved information via the user interface (block 960). For example, logging server 120 may retrieve network management activity information 855 from record 861. Logging server 120 may present network management activity information 855 via user interface 800.

Network management activity information 855 may include a session ID (e.g., 101), a device ID (e.g., 110-2), a type of action (e.g., modify routing protocol), a type of connection (e.g., SSH), a time (e.g., 12:46:36) associated with the network management activity, and a type of application (e.g., EMS) used to perform the network management activity. Additionally, or alternatively, logging server 120 may present other network management activity information from a record 862, a record 863, and/or a record 864.

In one implementation, the operator may use records 850 and/or network management activity information 855 to identify a condition associated with network device 110 and/or to troubleshoot a condition that has been detected on network 100. In one example, records 850 and/or network management activity information 855 may allow the operator to determine that a particular action, corresponding to a record, may be causing a problem in network 100. In another example, records 850 and/or network management activity information 855 may allow the operator to identify actions, performed by network device 110, that are in conflict or cause network device 110 to establish policies or protocols that are not compatible with network device 110. In yet another example, records 850 and/or network management activity information 855 may allow the network administrator to identify a record or network management activity information associated with an action that was performed, by network device 110, at a time when network device 110 began to malfunction.

A system and/or method, described herein, may enable collection of information associated with network management activities performed using different types of applications of network devices 110. A network administrator may access the collected information to, for example, fix and/or prevent problems within network 100.

The foregoing description of implementations provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of these implementations.

For example, while series of blocks have been described with regards to FIGS. 6 and 8, the order of the blocks may be modified in other implementations. Further, non-dependent blocks may be performed in parallel.

It will be apparent that example aspects, as described above, may be implemented in many different forms of software, firmware, and hardware in the embodiments illustrated in the figures. The actual software code or specialized control hardware used to implement these aspects should not be construed as limiting. Thus, the operation and behavior of the aspects were described without reference to the specific software code, it being understood that software and control hardware could be designed to implement the aspects based on the description herein.

Even though particular combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of the invention. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one other claim, the disclosure of the invention includes each dependent claim in combination with every other claim in the claim set.

No element, act, or instruction used in the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.

1-20. (canceled)
21. A method comprising: identifying, by a network device, one or more parameters associated with a session, the one or more parameters including one or more of: first information identifying a type of interface being used by an operator to interact with the network device, or second information identifying a type of process used by the network device for an event; generating, by the network device, a message for the event based on the one or more parameters; and transmitting, by the network device, the message to a logging server, the message to be correlated by the logging server with one or more messages associated with the session based on the one or more parameters.
22. The method of claim 21, where the event is a log-in event when the network device logs into an application, and where the message includes a tag that identifies the log-in event.
23. The method of claim 21, further comprising: receiving a command; generating a different message based on receiving the command; and transmitting the different message to the logging server.
24. The method of claim 23, where the message includes a primary process identifier, and where the different message includes a secondary process identifier that includes a reference to the primary process identifier.
25. The method of claim 23, where the command is to use an application to configure the network device, and where the method further comprises: performing one or more actions to configure the network device based on the command.
26. The method of claim 21, further comprising: receiving, from a client device, a request to log-out of an application; and transmitting, to the logging server, a different message for a log-out event based on receiving the request to log-out.
27. The method of claim 21, further comprising: assigning a session identifier that uniquely identifies the session, the one or more parameters further including the session identifier; and logging into an application for the operator to use the application to interact with the network device.
28. A network device comprising: one or more processors to: identify one or more parameters associated with a session, the one or more parameters including information identifying a type of interface being used by an operator to interact with the network device; generate a message for an event based on the one or more parameters; and transmit the message to a logging server, the message to be correlated by the logging server with one or more messages associated with the session based on the one or more parameters.
29. The network device of claim 28, where the event is a log-in event when the network device logs into an application, and where the message includes a tag that identifies the log-in event.
30. The network device of claim 28, where the one or more processors are further to receive a command; generate a different message based on receiving the command; and transmit the different message to the logging server.
31. The network device of claim 30, where the message includes a primary process identifier, and where the different message includes a secondary process identifier that includes a reference to the primary process identifier.
32. The network device of claim 30, where the command is to use an application to configure the network device, and where the one or more processors are further to: perform one or more actions to configure the network device based on the command.
33. The network device of claim 28, where the one or more processors are further to: receive, from a client device, a request to log-out of an application; and transmit, to the logging server, a different message for a log-out event based on receiving the request to log-out.
34. The network device of claim 28, where the one or more processors are further to: assign a session identifier that uniquely identifies the session, the one or more parameters further including the session identifier; and log into an application for the operator to use the application to interact with the network device.
35. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by a network device, cause the network device to: identify one or more parameters associated with a session, the one or more parameters including information identifying a type of process used by the network device for an event; generate a message for the event based on the one or more parameters; and transmit the message to a logging server, the message to be correlated by the logging server with one or more messages associated with the session based on the one or more parameters.
36. The non-transitory computer-readable medium of claim 35, where the instructions further comprise: one or more instructions to: receive a command to use an application to configure the network device; generate a different message based on receiving the command; and transmit the different message to the logging server.
37. The non-transitory computer-readable medium of claim 36, where the instructions further comprise: one or more instructions to perform one or more actions to configure the network device based on the command.
38. The non-transitory computer-readable medium of claim 35, where the instructions further comprise: one or more instructions to transmit a different message to the logging server, where the message includes a primary process identifier, and where the different message includes a secondary process identifier that includes a reference to the primary process identifier.
39. The non-transitory computer-readable medium of claim 35, where the instructions further comprise: one or more instructions to: receive, from a client device, a request to log-out of an application; and transmit, to the logging server, a different message for a log-out event based on receiving the request to log-out.
40. The non-transitory computer-readable medium of claim 35, where the instructions further comprise: one or more instructions to: assign a session identifier that uniquely identifies the session, the one or more parameters further including the session identifier; and log into an application for an operator to use the application to interact with the network device.